Automated Vulnerability Assessments are not Enough

Tuesday, June 26, 2012

Article by Ahmad Taha Zaki

For the last few years, a notion has taken hold within the Information Technology field that conducting an automated vulnerability assessment, perhaps followed by a penetration test, is enough to determine and validate the vulnerabilities of an information system (IS).

Since these processes are often treated as a full security assessment, in the following lines we will explain the IS audit process and why it is important for one to be performed side by side with vulnerability assessments and penetration testing.

An IS audit usually relies on checklists, but it also draws on the various systems’ reports and user interfaces and, depending on the experience of the auditor, on the business logic and the need-to-know principle.

An assessment consisting only of automated vulnerability assessments and penetration testing can detect weak passwords, but it can’t tell us whether the account holder actually needs the rights they currently have.

It can detect unpatched services, but it can’t tell us whether those services are authorized to be there in the first place.

It can detect misconfigured firewall rules, but it can’t tell us what the correct, complete rule set should be.

So what we really need is a holistic approach that can detect and validate vulnerabilities and also determine whether the specific system complies with the entity’s information security policy. To perform a complete security assessment, an IS audit therefore needs to be added to our set of activities.
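To make the distinction concrete, here is an added example (not code from the article) of the kind of policy comparison an audit performs and a scanner cannot: observed services, account rights and firewall rules are checked against an authorized baseline. The hosts, roles, rules and scan results are all constructed for illustration.

```python
# Added example, not from the article: a minimal IS-audit style check that
# compares what a scanner observed with the entity's policy baseline.
# Every baseline and observation below is constructed for illustration.

# Policy baseline (in practice taken from the security policy / CMDB)
AUTHORIZED_SERVICES = {"web01": {22, 443}, "db01": {22, 5432}}
ROLE_RIGHTS = {                      # need-to-know: rights each role requires
    "analyst": {"read_reports"},
    "dba": {"read_reports", "db_admin"},
}
APPROVED_FW_RULES = {                # (src, dst, port, action)
    ("any", "web01", 443, "allow"),
    ("mgmt", "web01", 22, "allow"),
    ("mgmt", "db01", 22, "allow"),
    ("web01", "db01", 5432, "allow"),
}

# What a vulnerability scan / config export actually found (constructed)
OBSERVED_SERVICES = {"web01": {22, 443, 8080}, "db01": {22, 5432}}
OBSERVED_ACCOUNTS = [
    {"user": "alice", "role": "analyst", "rights": {"read_reports", "db_admin"}},
    {"user": "bob", "role": "dba", "rights": {"read_reports", "db_admin"}},
]
OBSERVED_FW_RULES = {
    ("any", "web01", 443, "allow"),
    ("mgmt", "web01", 22, "allow"),
    ("web01", "db01", 5432, "allow"),
    ("any", "db01", 5432, "allow"),  # present on the device but never approved
}

def audit_services(observed, authorized):
    """Listening ports that policy never authorized, per host."""
    return {h: p - authorized.get(h, set())
            for h, p in observed.items() if p - authorized.get(h, set())}

def audit_accounts(accounts, role_rights):
    """Rights an account holds beyond what its role needs (need-to-know)."""
    return {a["user"]: a["rights"] - role_rights.get(a["role"], set())
            for a in accounts if a["rights"] - role_rights.get(a["role"], set())}

def audit_firewall(observed, approved):
    """Rules present but unapproved, and approved rules that are missing."""
    return {"unapproved": observed - approved, "missing": approved - observed}

if __name__ == "__main__":
    print("unauthorized services:", audit_services(OBSERVED_SERVICES, AUTHORIZED_SERVICES))
    print("excess rights:", audit_accounts(OBSERVED_ACCOUNTS, ROLE_RIGHTS))
    print("firewall deviations:", audit_firewall(OBSERVED_FW_RULES, APPROVED_FW_RULES))
```

A scanner would report port 8080 only if the service on it were vulnerable; the audit flags it because it is simply not authorized, and likewise catches the missing management rule that no scan could reveal.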

We won’t be discussing vulnerability assessments and penetration testing in the rest of this article; we will focus instead on the IS audit process.